Hone "Deobfuscated"
"Obfuscated" batch files from https://discord.gg/Hone, but deobfuscated (if you can call it that). It's quite simple.
The original file will download another script via Powershell, we're going to use Anti-Tracking.cmd as an example.
powershell Invoke-WebRequest "https://cdn.discordapp.com/attachments/798652558351794196/870846920778735636/DEOBANTITRACK.cmd" -OutFile "%temp%\DEOBANTITRACK.cmd" >nul 2>&1 - this is downloading DEOBANTITRACK.cmd from their Discord.
From DEOBANTITRACK.cmd they use certutil as an encoder for their final script. Certutil outputs this script.
CERTUTIL -f -decode "%~f0" "%Temp%\Honerandomthingthatyoudontwanttoseeipromisepleasejustgetoutofhere.bat" >nul 2>&1 outputs Honerandomthingthatyoudontwanttoseeipromisepleasejustgetoutofhere.bat at your temp directory which is the Anti-Tracking.cmd file.
However, there's some "obfuscation", a bunch of chinese characters. You can remove it via HxD.
This is their "obfuscation":
FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A or...
ÿþ&cls ÿþ&cls ÿþ&cls ÿþ&cls ÿþ&cls ÿþ&cls ÿþ&cls ÿþ&cls
Removing those characters from HxD outputs the true script, and thus the truth is revealed.
It's the same thing applied to the obfuscated scripts as of August 2nd, 2021.
This "challenge" was brought to you by 323170806190440449 / jonathah#1221
